Mozilla Foundation Security Advisory 2010-73

Heap buffer overflow mixing document.write and DOM insertion

Announced

October 27, 2010

Reporter

Morten Kråkvik

Impact

Critical

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

Firefox 3.5.15

Firefox 3.6.12

SeaMonkey 2.0.10

Thunderbird 3.0.10

Thunderbird 3.1.6

Description

Morten Kråkvik of Telenor SOC reported an exploit
targeting particular versions of Firefox 3.6 on Windows XP that
Telenor found while investigating an intrusion attempt on a customer
network. The underlying vulnerability, however, was present on both
the Firefox 3.5 and Firefox 3.6 development branches and affected all
supported platforms.

Reading mail in Thunderbird does not pose a risk to
users; however, the vulnerability is present and could be triggered in
RSS feeds if JavaScript is enabled, or by an add-on that enables
browser-like functionality.